A North Korean agent attempted to secure a remote position at a cybersecurity firm using a stolen identity, an AI-generated resume, and a VoIP phone number. This incident, revealed in June 2025, highlights the increasing sophistication of North Korea’s IT worker schemes, making them difficult to detect without adequate screening processes.
Background on the Scheme
The operative applied for a Lead AI Architect role, masquerading as a Florida-based expert with extensive experience in AI architecture and full stack development. Although the attempt was unsuccessful, it unveiled several warning signs that illustrate the complexity of such schemes.
Since early 2023, North Korean IT workers have been infiltrating companies globally by posing as qualified remote employees. Their earnings are redirected to the North Korean government, aiding its weapons programs. This scheme affects organizations of all sizes, especially in the technology, intelligence, and cybersecurity sectors.
Methods Used by the Operative
Nisos analysts identified the suspect through a combination of Open-Source Intelligence (OSINT) research and strategic interview questions. The operative utilized IP addresses linked to the Astrill VPN network, a tool frequently used by North Korean IT workers operating from China. The provided phone number was a VoIP number, aligning with the operative’s claimed U.S. location.
The stolen identity belonged to a real Florida resident, whose personal information was used to create multiple resume accounts on various platforms. These accounts featured slightly differing educational and professional details, all connected back to the same unsuspecting individual. Nisos coordinated with law enforcement to notify the victim.
The Risks and Consequences
This type of fraud poses significant risks beyond a single job application. Employing someone involved in such schemes can lead to data breaches, intellectual property loss, regulatory fines, and substantial reputational damage. These operatives often use remote access tools to control company devices from abroad, complicating detection by standard IT security measures.
The operative crafted a false identity using AI tools and copied job description language. The resume for the Lead AI Architect role included a broad array of technical skills, many directly lifted from the job posting. This tactic is commonly employed by North Korean IT workers to bypass keyword screening filters in hiring systems.
Recommendations for Organizations
During the virtual interview on June 24, 2025, the operative’s behavior raised alarms. He frequently diverted his gaze, and when questioned about a fabricated scenario, he hesitated, suggesting reliance on an AI chatbot for responses. When asked to share his screen, he abruptly ended the call, claiming prior work was inaccessible in private repositories.
Organizations are advised to perform comprehensive pre-employment OSINT checks for remote candidates, validate phone numbers and IP addresses, ask interview questions that require unscripted responses, mandate live screen sharing of past work, and monitor for recently created professional profiles with limited connections. Companies without the internal resources for these processes should collaborate with specialized intelligence and investigation firms to detect employment fraud and insider threats.
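The warning signs described in this article (resume text lifted from the job posting, a VoIP number, a VPN exit IP, a recently created profile) can be combined into an application pre-screen. The following Python is an added example, not code from Nisos or the original report; the field names, thresholds, VPN range and sample records are constructed assumptions, and the phone line type and VPN ranges would come from external lookups that are not shown.

```python
import ipaddress
import re
from datetime import date

# Constructed placeholder range (RFC 5737 documentation block) standing in for
# a VPN-exit feed the organization would obtain from its own provider.
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
TODAY = date(2025, 6, 24)  # constructed evaluation date

def shingles(text, n=3):
    """Set of lowercase word n-grams in text."""
    words = re.findall(r"[a-z0-9+#]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}

def posting_overlap(resume, posting, n=3):
    """Fraction of the resume's n-grams that appear verbatim in the posting."""
    r, p = shingles(resume, n), shingles(posting, n)
    return len(r & p) / len(r) if r else 0.0

def screen(candidate, posting, today, overlap_limit=0.5, min_profile_days=180):
    """Return the warning signs raised for one application (assumed thresholds)."""
    flags = []
    if posting_overlap(candidate["resume"], posting) >= overlap_limit:
        flags.append("resume_copies_posting")
    if candidate["line_type"] == "voip":  # result of a carrier lookup, not shown
        flags.append("voip_number")
    ip = ipaddress.ip_address(candidate["ip"])
    if any(ip in net for net in VPN_RANGES):
        flags.append("vpn_exit_ip")
    if (today - candidate["profile_created"]).days < min_profile_days:
        flags.append("new_profile")
    return flags

# Constructed sample data, not taken from the incident.
POSTING = ("Design and deploy scalable machine learning pipelines on Kubernetes, "
           "lead full stack development of AI services, and mentor engineers.")
SUSPECT = {
    "resume": "Design and deploy scalable machine learning pipelines on "
              "Kubernetes. Lead full stack development of AI services.",
    "line_type": "voip", "ip": "203.0.113.45",
    "profile_created": date(2025, 5, 20)}
HONEST = {
    "resume": "Built fraud detection models in PyTorch and shipped them "
              "behind a Go API for a payments team.",
    "line_type": "mobile", "ip": "198.51.100.7",
    "profile_created": date(2019, 3, 1)}

if __name__ == "__main__":
    for name, c in (("suspect", SUSPECT), ("honest", HONEST)):
        print(name, screen(c, POSTING, TODAY))
```

A flag here is a reason for closer manual review, such as the unscripted interview questions and live screen sharing described above, not a verdict on the candidate.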
